What should a solutions architect do to secure the data?
Use client-side encryption with an Amazon RDS managed key.
Use client-side encryption with an AWS Key Management Service (AWS KMS) customer managed key.
Use Amazon RDS encryption with an AWS Key Management Service (AWS KMS) default encryption key.
Use AWS Secrets Manager to manage database users. Encrypt secrets with an AWS Key Management Service (AWS KMS) customer managed key. Enable RDS encryption.
Explanations:
Client-side encryption means the data is encrypted before it is sent to the database. While this provides strong security, it requires significant changes to the application. Also, using an Amazon RDS managed key for client-side encryption is not a standard or supported practice: RDS manages keys for server-side encryption, not client-side.
Using client-side encryption with a customer-managed KMS key is a valid security measure, but it still requires application changes. The goal is to minimize changes while ensuring data is not accessible to IT staff.
Using RDS encryption with an AWS KMS default encryption key encrypts the data at rest, but it does not prevent IT staff with administrative access to the database from viewing the data. Database administrators typically have access to the data regardless of server-side encryption.
This is the most appropriate solution. Using Secrets Manager to manage database credentials and encrypting those secrets with a customer managed KMS key allows you to control who can access the database credentials. This effectively prevents IT staff with general administrative access from accessing the data, as they would need permissions to decrypt the secrets in Secrets Manager. Enabling RDS encryption provides encryption at rest, which is a good security practice but does not on its own address the requirement of preventing IT staff access. Combining Secrets Manager with KMS and RDS encryption provides the required level of security without requiring application changes.
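As an added illustration (not part of the original explanation), the following customer managed KMS key policy shows how the decrypt permission on the credential secret is limited to the application's role, and only when Secrets Manager calls KMS on its behalf. The account id 111122223333, the region us-east-1 and the role names KeyAdminRole, SecretsWriterRole and AppRole are placeholders.

```json
{
  "Version": "2012-10-17",
  "Id": "db-credentials-cmk-policy",
  "Statement": [
    {
      "Sid": "KeyAdministrationWithoutDecrypt",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/KeyAdminRole" },
      "Action": [
        "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
        "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
        "kms:TagResource", "kms:UntagResource",
        "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SecretsWriterCanEncryptViaSecretsManager",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/SecretsWriterRole" },
      "Action": ["kms:GenerateDataKey", "kms:Encrypt", "kms:DescribeKey"],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "kms:ViaService": "secretsmanager.us-east-1.amazonaws.com" }
      }
    },
    {
      "Sid": "AppRoleCanDecryptViaSecretsManager",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/AppRole" },
      "Action": ["kms:Decrypt", "kms:DescribeKey"],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "kms:ViaService": "secretsmanager.us-east-1.amazonaws.com" }
      }
    }
  ]
}
```

The key administrator statement deliberately omits kms:Decrypt, and because no statement grants the account root principal access, IAM policies attached to other administrators cannot grant decryption of this key on their own. A GetSecretValue call therefore succeeds only for AppRole, which is the access control the explanation above relies on.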